Kharon Agent - Overview

  • HTTP/S Listener

    • Proxy settings

    • SSL

    • Malleable profile

  • KillDate and WorkingTime control

  • Reverse port forwarding support

  • Socks5 Proxy

  • Sleep Obfuscation (timer)

  • Heap Obfuscation

  • Token Manipulation

  • Process Explorer

  • File Explorer

  • Fork with spawn and explicit method

  • Stack Spoofing + Indirect Syscall

  • BOF API Proxy to proxy bof api execution to Stack Spoof + Indirect

  • BOF in-memory execution

  • Shellcode injection

  • PowerShell with script execution + AMSI/ETW bypass

  • Behavior control

    • HTTP: callback host, user-agent, and proxy

    • Syscall control (spoof + indirect, spoof only, none)

    • Mask beacon

    • Mask heap

    • BOF Proxy

    • Working time

    • Killdate (exit / self-delete / date)

    • Injection technique (standard / stomping)

    • Allocation method (standard / APC)

    • Fork named pipe

    • Spawnto

    • AMSI/ETW bypass

    • BlockDLLs policy

    • Argument to spoof

    • PPID (parent process ID)

    • Sleep

    • Jitter

NextNews

Last updated